Examining Security and Usability Aspects of Knowledge-based Authentication Methods

Abstract

Graphical passwords are considered to be one of the promising alternatives to conventional textual passwords. However, while offering potential theoretical improvements over their textual counterparts, it is important to evaluate how these authentication methods would fare in practice. In this study, we were interested in the user-generated passwords from the security and usability perspective. We conducted an experiment in which the participants were tasked to create and memorize three types of passwords: a textual password, a chess-based graphical password, and an association-based hybrid textual-graphical password. Two weeks after the initial registration, the users were prompted to login using their previously created passwords. By comparing the authentication methods, we showed that despite the graphical passwords’ advantages, the user-created chess passwords were the weakest, and the users had the most difficulty remembering them after the two-week period. On the contrary, the association-based passwords were just as strong and memorable as the textual passwords. The conclusions drawn from this paper are therefore two-fold: firstly, alternative authentication methods should be evaluated and compared against textual passwords in reallife scenarios to determine their practical value; and secondly, association-based approaches have the potential to augment both the security and memorability of the existing and novel authentication mechanisms.